- Attackers abused Mimecast’s URL‑rewriting feature to mask malicious links in phishing emails
- More than 40,000 emails hit 6,000+ organizations, especially consulting, tech
- Campaign bypassed filters globally, with most victims in the US, though Mimecast says no flaw exists
Cybercriminals are abusing a legitimate Mimecast feature to deliver convincing phishing emails to their victims – at scale.
This is according to cybersecurity researchers at Check Point, who claim to have seen more than 40,000 such emails being sent to over 6,000 organizations around the world, in a span of merely two weeks.
First, the crooks would create messages that closely resemble email notifications from reputable brands (SharePoint, DocuSign, or other e-signature notices), paying attention to details such as logos, subject lines, and display names. Nothing in the messages stands out from routine notification emails.
Consulting, tech, and real estate targeted
At the same time, they would build phishing landing pages that capture credentials or deliver malware. These URLs are wrapped behind one or more legitimate redirect and tracking services, in this case – Mimecast.
Because this service rewrites links to route through a trusted domain, attackers submit their malicious links so the final email shows a Mimecast domain instead of the real destination.
As a result, phishing emails successfully move past email security solutions and filters, and land directly in their victims’ inboxes.
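The gap described above, shown from the defender's side in an added example that is not from Check Point, Mimecast or the original article: a filter that judges only the first-hop domain next to one that resolves the redirect chain and judges the final host against the brand the email claims. All hosts (under `.example`), the redirect table and the brand policy are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed data: every host under .example is a placeholder, not a real service.
TRUSTED_WRAPPERS = {"rewrite.mailgateway.example", "track.marketing.example"}
# Constructed redirect table standing in for HTTP 3xx responses, so this runs offline.
REDIRECTS = {
    "https://rewrite.mailgateway.example/s/abc": "https://track.marketing.example/c/1",
    "https://track.marketing.example/c/1": "https://login-sharepoint.badhost.example/auth",
    "https://rewrite.mailgateway.example/s/def": "https://contoso.sharepoint.example/doc/42",
    "https://rewrite.mailgateway.example/s/loop": "https://rewrite.mailgateway.example/s/loop",
}
# Hosts the claimed brand legitimately sends users to (assumed policy).
BRAND_HOSTS = {"sharepoint": {"contoso.sharepoint.example"}}


def host(url):
    return (urlsplit(url).hostname or "").lower()


def naive_verdict(url):
    """First-hop reputation only: the kind of check a wrapped link passes."""
    return "allow" if host(url) in TRUSTED_WRAPPERS else "inspect"


def resolve_chain(url, max_hops=5):
    """Follow wrapper hops; return (chain, complete). Loops and long chains are incomplete."""
    chain = [url]
    while chain[-1] in REDIRECTS:
        nxt = REDIRECTS[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            return chain, False
        chain.append(nxt)
    return chain, True


def chain_verdict(url, claimed_brand):
    """Judge the final destination, never the wrapper that fronts it."""
    chain, complete = resolve_chain(url)
    final = host(chain[-1])
    if not complete or final in TRUSTED_WRAPPERS:
        return "quarantine"  # unresolved chain: do not fall back to trusting the wrapper
    if final in BRAND_HOSTS.get(claimed_brand, set()):
        return "allow"
    return "quarantine"  # brand in the email does not match where the link ends
```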
Check Point says that numerous industries were hit by this campaign, but a few – those where exchanging contracts and invoices is an everyday thing – were hit particularly hard. Those include consulting, technology, and real estate. Other notable mentions include healthcare, finance, manufacturing, and government.
The majority of the victims are located in the US (34,000), followed by Europe (4,500), and Canada (750).
Mimecast stressed that this is not a vulnerability, but rather a legitimate feature that is being abused.
“The attacker campaign described by Check Point exploited legitimate URL redirect services to obfuscate malicious links, not a Mimecast vulnerability. Attackers abused trusted infrastructure – including Mimecast’s URL rewriting service – to mask the true destination of phishing URLs. This is a common tactic where criminals leverage any recognized domain to evade detection.”
Via Cybernews

